BILL ANALYSIS
AB 1755
Page 1
ASSEMBLY THIRD READING
AB 1755 (Gomez)
As Amended March 28, 2014
Majority vote
HEALTH 19-0
Ayes: Pan, Maienschein, Ammiano, Gordon, Bonilla, Bonta, Chávez,
Chesbro, Gomez, Gonzalez, Roger Hernández, Lowenthal, Waldron,
Nazarian, Nestande, Patterson, Ridley-Thomas, Wagner, Wieckowski
SUMMARY: Changes the requirements for specified health
facilities, regarding the protection of patients' medical
information, from preventing unlawful or unauthorized access to,
and use or disclosure of, medical information, to a requirement
that these health facilities must prevent breaches of patients'
medical information. Changes the interval for the required
reporting of an incident involving a breach of patient
information to the Department of Public Health (DPH) and the
patient from five business days to requiring reporting without
unreasonable delay and no later than 60 calendar days after the
breach, as specified.
FISCAL EFFECT: None
COMMENTS: According to the author, this bill will improve
California's notice requirement specific to breaches of medical
information by moving it closer to federal law and removing an
extra administrative layer that requires health facilities
covered by state and federal laws to analyze all potential
breaches under both schemes related to notification requirements
and take different action depending on the circumstances of the
potential breach. The bill adopts the Health Information
Technology for Economic and Clinical Health (HITECH) Act standard,
which was adopted in regulation in January 2013 after extensive
public comment and negotiation. The author states the bill clarifies
what must be reported, changes the timing of the notification to
"as soon as reasonably possible but no later than 60 calendar
days after discovery of the breach," and given the sensitivity
of medical information, ensures that patients have the option of
designating an alternate address where notice may be sent or
received.
The author argues that the existing state scheme specific to
medical information, on the other hand, applies to any "unlawful or
unauthorized" access to, or use or disclosure of, a patient's
medical information, requiring notification within five business
days without allowing for any consideration of risk or harm to
the patient. The author explains that because California law
does not allow for a risk assessment, health facilities must
send a notification even in the event of a minor breach that may
unnecessarily alarm a patient. According to the author, this
excessive notification requirement consumes significant
administrative resources and, combined with the short five
business day timeline in California law, is nearly unworkable.
The author concludes that, by strictly specifying how patients
must be notified of these breaches, California's law does not
provide adequate security for patients, such as minors, who live
at home but who have exercised their constitutional right to keep
their health issues confidential.
Federal law requires covered entities to provide notification
following a breach of unsecured protected health information. In
addition, it provides a 60 calendar day timeline and allows for a
risk assessment prior to notification, so that patients are made
aware when there has been a breach of their information and can
take the notification seriously and respond appropriately.
According to the sponsors, Planned Parenthood Affiliates of
California and the California Medical Association, there are
significant differences between the two main schemes related to
notification requirements under state and federal law. The
sponsors state that each of the two main schemes has different
timelines and method requirements for notification, a different
standard for what types of data are covered, and a different
standard for what qualifies as a breach and must be reported.
The co-sponsors argue this bill ensures patients are adequately
alerted to serious medical information breaches and streamlines
requirements on health facilities, saving healthcare costs and
allowing healthcare providers to put those resources back into
patient care. The California Hospital Association supports the
bill because it would address the problem that state and
federal law are inconsistent and would simplify administrative
requirements for health facilities. Other supporters argue that
better aligning of state law with the updated and thoroughly
vetted federal regulations will reduce the administrative burden
on health facilities and free up resources for patient care.
The Electronic Frontier Foundation (EFF) opposes this bill
because it will weaken existing data breach reporting
requirements by greatly delaying reporting, from the current
five business days to 60 calendar days after detection. EFF is
also concerned that the bill's new definition of breach excludes
certain disclosures that must be reported under existing law but
would not have to be reported under this bill. The American
Civil Liberties Union (ACLU) opposes the bill unless it is
amended to address the bill's weakening of breach
reporting and notification standards. The ACLU is particularly
concerned that this bill significantly lengthens the time
allowed before reporting to a patient or DPH must occur.
Analysis Prepared by: Roger Dunstan / HEALTH / (916) 319-2097
FN: 0003361